Jump to content
Sign in to follow this  

Sophisticated PDF exploit

Recommended Posts

Link provided in GRC newgroups by paradoX and Al:


...Quick analysis of the document confirmed that it is exploiting this vulnerability (CVE-2009-4324 – the doc.media.newPlayer vulnerability). This can be easily seen in the included java scri_pt in the PDF document, despite horrible detection (only 6 out of 40 AV vendors detected this when I initially submitted it here).

After extracting the included java scri_pt code, the shellcode that it uses looked quite a bit different than what we can usually see in such exploits: this shellcode was only 38 bytes long! Initially I even thought that it does not work, but after studying it a little bit, I found that this particular PDF document has some very interesting, sophisticated characteristics. ...

Lessons learned

Not only was this a very interesting example of a malicious PDF document carrying a sophisticated "war head", but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims. ...

Which should be enough to make one check that their PDF reader has java scri_pt disabled. Adobe Reader 9 Edit-Preferences-java scri_pt (uncheck top box). Not sure about browser 'helper' applications. Note these may be targeted attacks with very plausible cover stories and AV detection rates may be low/very low (I see Symantec have removed themselves from the VirusTotal battery again - lor' bless 'em).

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this